Monthly Archives: June 2014

When is a number not a number? When it’s a placeholder. When it’s zero. Zero being precisely the number of recorded instances of harm befalling a human as a result of actual real world exploitation of the Heartbleed vulnerability.

Heartbleed was a vulnerability. Not a risk. As professionals, we know that risk is a function of an indivisible compound of vulnerability with threat. We further know that threat itself is a function of a further indivisible compound of an attacker with both the capability and the intent to act on their nefarious desires. A vulnerability in the absence of threat is not a risk. Prior to the media storm visited needlessly upon the world, few if any, including the threat actors, even knew of its existence.

Heartbleed was real. A serious vulnerability in an important web service. Limited exploitation of the vulnerability had the potential to enable wrongdoers with sufficient intent and capability to do harm to individuals. Unchecked exploitation would certainly have temporarily dented trust in the Internet. Prolonged or massive financial loss as a result of significant exploitation could have had serious macro-economic or social consequences and might even have damaged public trust and confidence in the advice of IT and cyber security experts. It demanded a serious, thoughtful, considered, measured, balanced, co-ordinated, proportionate and professional response from these experts. Which is precisely the opposite of what happened.

We, the community of IT and cyber security experts, turned the volume up to eleven on this one. Us, not the bad guys. As experts, we competed to command ever more extravagant hyperbole. In concert, we declared this “catastrophic”. In a post-Snowden world it was inevitable that the dark ink of conspiracy theory would cloud the story as fast as the Internet could carry it. And yet, nothing bad actually happened. We rushed to spread fear, uncertainty and doubt in knowing defiance of the available evidence. Perhaps because of the absence of evidence.

We did succeed in scoring two own goals. Firstly, we needlessly spread fear, uncertainty and doubt. Arguably far more effectively than anyone other than the most sophisticated attacker could have done. Secondly, we gave further credence to the growing sense that this is all we can do. There is a view, dangerous and mistaken but nonetheless credible and growing, that we turn the volume up to eleven to crowd out the silence of our own ignorance and incompetence.

Molly Wood writing about Heartbleed in the business section of the “New York Times” on 14th April 2014 observed with regret that “what consumers should do to protect their own information isn’t … clear, because security experts have offered conflicting advice”. Adding that, despite the hype, “there is no evidence it has been used to steal personal information.” We undermined public trust and confidence in the Internet; and in ourselves.

What we do is important because the systems we are responsible for securing and managing are important. They are the beating heart of the Internet and this is the nervous system of the cyber phenomenon. The Internet alone is of societal, if not existential, importance. Cyber is transformative. Without us, or at least without some of us, the world would be less safe and less secure than it is. However, it needs to be safer and more secure than it is. More of us need to do a better job.

The net effect of Heartbleed, the real catastrophe, has been yet another self-inflicted wound to the already badly damaged credibility of the community of security experts. We cannot sustain many more of these injuries before the credibility of our community as a whole falls victim to our seemingly suicidal instincts.

If we want to be taken seriously and treated as professionals, it’s time we started to behave like professionals. We need to stop crying wolf and start giving answers to the difficult questions we have been avoiding for far too long. How do we actively enable cyber democracy?

It is now time to start the process of moving towards the creation of a professional governance body with the same kind of power and status as, for instance, the Law Society or the General Medical Council. Embracing willingly and freely all of the consequences around regulation, licensing and liability that this will bring. Time to stop crying cyber wolf. Time for the snake oil merchants to find another Wild West.

Finding its roots since time immemorial, criminal activity has always been part of a cat-and-mouse game with Justice. In the last decades, we have seen this game gradually transposed to the cyber domain as well, where crime discovered a new and broad field for its perpetration. Never was it so easy to find a new victim or a group of victims – they are within reach of a criminal’s fingers – and never was it so easy for criminals to hide their whereabouts and identities.

Though in this cat-and-mouse game our investigative techniques and tools have evolved with time, so have the modus operandi of cyber criminals. We need to admit that we are facing some interesting challenges. No, we are not talking about the classic “It wasn’t me, it was a Trojan in my computer!” argument. We are talking about a wealth of hiding mechanisms like anonymous proxies, compromised computers, public internet cafes (virtually, we have internet access everywhere!) and anonymity networks like Tor, i2p and Freenet, all of them being misused and making life harder for law enforcement. Criminals are enjoying all these means with a unique sense of freedom and impunity to promote a black market and sell drugs, guns, criminal services, organ trafficking and share child pornography.

Actually, these mechanisms are being used by a broader group, classified as “cyber offenders” in this article and related literature. This group of individuals includes not only typical cyber criminals, but also state-sponsored actors who engage in attacks against foreign critical infrastructures, as well as hacktivists spreading their word and launching DDoS attacks against their target of choice. It does not matter which class of individual we are dealing with. When we need to figure out who is behind that masked IP address in our log files or who is behind that fake Twitter account, the “attribution problem” arises.

While dealing with such a challenge, maybe we should think about whether we are overlooking all those roots of criminal activity – offender activity here – and how they usually manifest themselves in a crime scene. The cyber offender is clearly enjoying some advantages, so we need to adapt ourselves. As said by Collin Willians in the welcome message of this magazine’s first issue, “we must re-think our approach to the pursuit of the safety and security of the human experience in the cyber domain.” It makes sense here.

A digital crime scene is still a crime scene, and a digital crime (or digital offence, in broad terms) is still an act that has at least a minimum of planning, counts on at least a minimum of resources and is committed by an individual or a group of individuals with specific motivations. We should agree that most methods and tools are new in cybercrimes, but when we are talking about revenge, activism, challenge, profit… hmm… these motivations don’t seem to be so new… they are inherent to the human being. Risk appetite, attack inhibitors? They are too.

Since technology is therefore just a means to commit a crime, we should revisit some useful approaches to dealing with traditional crimes and analyse whether they could be of help while dealing with cybercrimes as well. When all types of crimes or offences share some features – like human motivations, human traits expressed through behavioural evidence in a crime scene, signature aspects (just to name a few) – we should mention for sure the scientific discipline of Criminal Profiling. The study of criminal behaviour and its manifestation in a crime scene has been explored for more than a century by the discipline, which infers a set of traits of the perpetrator or group of perpetrators of a crime by examining the criminal evidence available.

This set of traits – a “profile” – can be elaborated to contain features like skills, resources available, knowledge, motivations, whereabouts and so on, depending on the evidence available and on which conclusions we can reach about them. Then, this profile becomes a valuable additional tool to assist investigations – with a success rate of at least 77% according to research done in the 90’s (Theodore H. Blau). With these encouraging numbers, and knowing that cybercrimes share some roots with traditional crimes, the idea is to apply the same concepts to digital investigations. According to the literature, the main objectives that can be achieved by applying profiling to investigations are:

Narrowing down the number of suspects

Linking cases that seem to be distinct

Helping define strategies of interrogation

Optimizing investigative resources (e.g., “let’s focus on where we have more chances to find evidence”)

Helping develop investigative leads in unsolved cases

Actually, the advantages are not restricted to digital investigations. When we have a profile of a cyber offender in hand, we are able to develop better countermeasures against their attacks. This is especially important when we are dealing with advanced offenders, like APTs.

The good news, when we talk about how broad the options are for cyber offenders to hide themselves behind computer attacks, is that profiling can be a broad tool as well. Recalling the Locard Exchange Principle, the offender always leaves traces in the crime scene. And some of them can be of a behavioural nature. Depending on the level of interaction an attacker has in a digital offence (e.g. a manual attack vs. an automated attack – or a single web defacement vs. an attack that involves a huge team of skilled offenders and many interactions with the target), we could have different levels of traces left in log files, network traffic, social networks, chat networks, file systems of compromised machines, e-mail messages, defaced websites, instant messaging… Therefore the mindmap below is just a non-exhaustive set of features that we can explore and work on:

Going deep, the following list is a very small set of examples that we can search for during the investigation to help populate our mindmap:

Analysing the time between probes in a port scanning

Identifying motivation [revenge, curiosity, challenge, profit, to be part of a group, usage of computer resources, platform to launch other attacks, dispute between individuals or hacking groups, cyber terror, hacktivism, cyber warfare…]

Identifying the type of tools employed during an attack and evaluating their availability (public? commercial? restricted?) and the knowledge required to operate them (Tom Parker has done very good research on this topic)…

Analysing offender activities on social networks, ranging from their first followers/following, closest contacts, word frequency, periods of the day in which activities are more intense, evidence of planning actions etc…

Analysing global or regional political/social/religious/economic events that could influence the commission of the offence
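The first item in the list above, the time between probes in a port scan, is the one most easily turned into a measurable behavioural trace. The following is an added example, not code from the article or from its author: it parses a small, constructed firewall log (the line format, the IP addresses from the documentation ranges, and the timestamps are all invented for this example), groups dropped probes by source address, computes the inter-probe intervals, and uses the coefficient of variation of those intervals to separate a machine-regular cadence from an irregular, human-paced one. The threshold values are assumptions to be tuned against real data, not published figures.

```python
"""Inter-probe timing analysis for port-scan evidence (added example).

Assumed log format (constructed for this example, not from any real product):
    <ISO timestamp> DROP src=<ip> dst=<ip> dport=<port>
Only parse_log() would need to change for another firewall's format.
"""
import re
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+)\s+DROP\s+src=(\S+)\s+dst=\S+\s+dport=(\d+)\s*$")

# Constructed sample: 203.0.113.7 probes at a fixed one-second cadence (an
# unthrottled scanner), 203.0.113.42 probes at irregular, human-paced gaps,
# and 192.0.2.9 is seen too rarely to say anything about its cadence.
SAMPLE_LOG = """\
2014-06-03T02:14:05 DROP src=203.0.113.7 dst=198.51.100.20 dport=21
2014-06-03T02:14:06 DROP src=203.0.113.7 dst=198.51.100.20 dport=22
2014-06-03T02:14:07 DROP src=203.0.113.7 dst=198.51.100.20 dport=23
2014-06-03T02:14:08 DROP src=203.0.113.7 dst=198.51.100.20 dport=25
2014-06-03T02:14:09 DROP src=203.0.113.7 dst=198.51.100.20 dport=53
2014-06-03T02:14:10 DROP src=203.0.113.7 dst=198.51.100.20 dport=80
2014-06-03T02:14:11 DROP src=203.0.113.7 dst=198.51.100.20 dport=110
2014-06-03T02:14:12 DROP src=203.0.113.7 dst=198.51.100.20 dport=143
2014-06-03T02:20:00 DROP src=203.0.113.42 dst=198.51.100.20 dport=80
2014-06-03T02:20:37 DROP src=203.0.113.42 dst=198.51.100.20 dport=443
2014-06-03T02:21:29 DROP src=203.0.113.42 dst=198.51.100.20 dport=8080
2014-06-03T02:23:49 DROP src=203.0.113.42 dst=198.51.100.20 dport=8443
2014-06-03T02:24:04 DROP src=203.0.113.42 dst=198.51.100.20 dport=3306
2014-06-03T02:26:39 DROP src=203.0.113.42 dst=198.51.100.20 dport=5432
2014-06-03T02:30:00 DROP src=192.0.2.9 dst=198.51.100.20 dport=22
2014-06-03T02:45:12 DROP src=192.0.2.9 dst=198.51.100.20 dport=22
"""

# Assumed thresholds for this example; tune them against your own traffic.
REGULAR_CV = 0.1      # coefficient of variation below this reads as machine-regular
MIN_INTERVALS = 3     # fewer gaps than this is not enough evidence either way


def parse_log(text):
    """Return (timestamp, src, dport) tuples; lines not matching LINE_RE are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def intervals_by_source(events):
    """Group probes per source (in time order) and compute the gaps between them."""
    by_src = {}
    for ts, src, port in sorted(events):
        by_src.setdefault(src, []).append((ts, port))
    result = {}
    for src, probes in by_src.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(probes, probes[1:])]
        result[src] = {"ports": [p for _, p in probes], "gaps": gaps}
    return result


def timing_profile(gaps):
    """Summarise a list of inter-probe gaps (seconds) into a cadence classification."""
    if len(gaps) < MIN_INTERVALS:
        return {"mean_interval": None, "cv": None, "classification": "insufficient data"}
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else 0.0
    label = "automated (fixed-rate)" if cv < REGULAR_CV else "irregular (manual or jittered tool)"
    return {"mean_interval": m, "cv": cv, "classification": label}


def profile_scanners(log_text):
    """Map each probing source to its timing profile plus probe and port counts."""
    profiles = {}
    for src, data in intervals_by_source(parse_log(log_text)).items():
        prof = timing_profile(data["gaps"])
        prof["probes"] = len(data["ports"])
        prof["distinct_ports"] = len(set(data["ports"]))
        profiles[src] = prof
    return profiles


if __name__ == "__main__":
    for src, prof in profile_scanners(SAMPLE_LOG).items():
        print(src, prof)
```

The coefficient of variation (standard deviation divided by the mean) is used rather than the raw standard deviation so that a slow scanner with a perfectly regular ten-second cadence is still recognised as automated. A low value on its own does not identify a person; it is one behavioural feature to record alongside the tool fingerprint, the ports chosen and the time of day, feeding the mind map the article describes.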

The topic is vast and encouraging and we can go much further. But the final message here is: we know that there are a multitude of means and technologies that are being (and will be) used by offenders in the perpetration of their actions. But we need to know that there is a multitude of means to catch them as well.

Author: Lucas Donato

Lucas Donato, CISSP, CRISC, is an information security consultant who currently works at a Brazilian bank. In the last ten years he has been involved with penetration testing, vulnerability assessments, incident response and digital investigations for some of the biggest Brazilian companies. Nowadays, he is pursuing his PhD degree at the Cyber Security Centre of De Montfort University, exploring the ins and outs of criminal profiling applied to digital investigations.

We are the experts. The controlling minds of the institutions of the state, of society and the economy; and those who offer them sage counsel. The technocratic elite of computing, and of cyber security.

We are Generation X. Our grasp of the levers of power and influence is temporary, and we have been served our notice by Generation Y. These Millennials are impatient for control. We have a finite and diminishing period in which to contribute to the solution of the problems of our time and so control our legacy. Our context was forged during the Cold War. The world we made, the time and space we lived in, and the ways in which we sought to make sense of it all were given their shape and form by a context. A context within which we were simultaneously subjects and objects; we made it as much as it made us.

We are beginning to apprehend the enormity of the transformations of the Information Age. Now, belatedly, we catch our first true glimpse of the gaping chasm separating us from the Millennials. We are easy prey to the collective paralysis of future shock. The symmetry, clarity, predictability and certainties of the Cold War appear comforting. A world of clear and certain binary choices; of absolutes of right and wrong. Of survival or total destruction. Bunkers of the mind are as real as those of steel and concrete. The one the tomb of the intellect as the other was the tomb of hope.

The UK and US governments constituted the dominant protagonists in the NATO alliance, the anchor points of the economically and culturally dominant Atlantic axis, and the powerhouses of the post war development of computers. Across the span of the Cold War, US and UK government spending in general, and defence and intelligence spending in particular, dominated and shaped computing. The computers of the Cold War were an intrinsic and indispensable part of the existential struggle that defined the twentieth century. These governments spent according to their established patterns, within the dominant macro-economic structures of the age, and according to the imperatives of the Cold War.

The business of computing followed the pattern of the age. The supply chain for computers was vertically integrated. Narrow, short and almost entirely knowable. Little of the work went beyond the commercial boundaries of the principal players and when it did, it did not stray far. The entire supply chain, should, and could, be mapped. From research and development, through to specification, implementation, testing, integration, operation and disposal; the system life cycle was predictable. The supply chain a part of the deterministic system as a whole. The idea of a complex matrix of volatile, recursive and nested sub contracts and outsourced obligations, if it occurred at all, would have been a nightmare of apocalyptic proportions.

The vertical integration of the sort common across the military industrial complex of the Cold War has gone. Outsourcing, globalisation, just in time disciplines, the emergence of what were once developing economies as principal actors in shifting patterns of geo-political power; have all converged to produce a supply context of bewildering complexity. The supply cartography of our context is essentially unknowable, partly because of its intrinsic and accumulated complexity, and partly because of its volatility. Whereas the commercial relationships of the vertically integrated constructs of the Cold War prized stability and longevity, those of the Information Age thrive on velocity. In the Machine Age we etched company names in stone, inscribed job titles in brass plates and kiln fired enamel adverts with retail prices emblazoned in ceramic permanence. Now, our advertising hoardings are computer monitors; facets of the cyber phenomenon. Our Millennial staff, entangled in patterns of loyalty utterly different to ours.

Cyber is about far more than computers and computer networks, however vast, far reaching and powerful they are. It is about far more than the Internet; whether of information or of things. It is about far more even than the laggardly realisation that the great interconnectedness of everything encompasses ICS and SCADA systems and, therefore, the totality of the critical infrastructure of every nation on earth. Humanity is existentially reliant upon cyber.

Micro fabrication will, within decades, destroy, disrupt and recreate entire swathes of economic activity; whilst creating entirely new ones. Our lack of understanding of the cyber supply chain is already scaring us and yet we only have a few years until computers will be manufactured in homes around the globe as easily as we now print off airline boarding passes. We have only begun to experience the first tingling of what will become abject terror at the prospect of the impact on structures of warranty, indemnity and liability of a supply chain where spare and replacement parts for critical systems are locally fabricated using binaries downloaded from the Internet and so utterly devoid of provenance or attestations of fitness for purpose.

There are three established streams of our concern about the supply chain. The first, and most acute, is that we see the supply chain itself as a source of vulnerability and risk to the operation of the critical computer systems themselves. The whispered fear is that of malware lodged deep in silicon by a powerful nation state adversary. A legion of cyber sleepers invisibly infiltrated into every one of the computing devices upon which we know we depend. The hidden menace. Living undetectably amongst us, silently awaiting remote activation. Alien invaders capable of bringing about our total destruction.

The second is that we see the supply chain as a vector for the execution of the intention of hostile actors such as criminals and intelligence agencies. Here the recent thefts from the Port of Antwerp stand as the exemplar. The third is the damage sustained if the supply chain itself ceased to operate and the supply of computing technology was threatened.

In addition, there is now an emerging stream of concern about the vulnerability of the supply chain to infiltration by counterfeits and forgeries of the products of established and trusted brands. This will mature rapidly to reciprocate and magnify the first and foremost of our concerns.

Our anxiety is amplifying, edging us closer to a ‘something must be done’ response to a sense of impending crisis. We must now pause and ask ourselves this; to what extent is this sense of crisis borne out by evidence and analysis? Or, from a different direction; to what extent is our sense of crisis the result of a panic reaction to a new context that we neither understand nor control? To what extent are we victims of future shock? Are we holding ourselves prisoner in Cold War bunkers of the mind?

There is no doubting either the complexity of our supply chains or the fact of the existence of manifest vulnerabilities. Computers are artefacts of profound and increasing supply chain complexity. Supply chains are atomised, fragmented, volatile, unpredictable and unknowable. Key components are, and will continue to be, designed and manufactured across the globe. And so in areas where those with hostile intentions towards liberal democracy can operate with greater tolerance and latitude than would be possible in the established heartlands of these democracies. The location of assembly of the components into a finished market ready device is, in terms of the assurance of the supply chain, irrelevant. Assurance models predicated on the susceptibility of devices, let alone systems, to code or component level recursive analysis are, at best, redundant.

Assertions of the abstract fact of the existence of vulnerability devoid of context, data, or substantive rational argument, are as useless in generating meaningful utility as they are attractive to those with something to sell. Even in the most benign of circumstances they are an insufficient basis for action. In times of limited resources they can easily become the cause of costly and unproductive failures. When the subject of concern is itself a societally critical phenomenon then the raising of defences that will inevitably reduce the beneficial effects of the thing being protected should not be lightly undertaken. To destroy a thing in order to protect a thing is an unacceptable price to pay when we depend upon that which we defend for our very existence.

As I write this, the British Prime Minister, David Cameron, has just returned from leading a delegation of senior business leaders on a trade mission to China. He returned for the debate in Parliament on his coalition government’s Autumn Statement. Whilst in China, the Prime Minister faced down criticisms that he was sacrificing a commitment to human rights, asserting that he was “unapologetic” about his emphasis on the economy. Britain, he observed, is a “trading nation[1]”, and as such, whilst “some in Europe and elsewhere see the world changing and want to shut China off behind a bamboo curtain of trade barriers. Britain wants to tear those trade barriers down[2]”. During his trip, the Prime Minister pressed the Chinese authorities openly for a “proper cyber dialogue” whilst at the same time choosing to highlight that “we need … to up our investment in cyber security and cyber defence” because “there is an enormous amount of work to be done[3]”. The “Global Times”, a nationalist leaning tabloid owned by the Communist party ran an editorial arguing that “the Cameron administration should acknowledge that the UK is not a big power in the eyes of the Chinese. It is just an old European country apt for travels and study[4]”.

These stories encapsulate much of the difficult realities of our age. David Cameron travels to China to bid for business. China needs access to the economies of Europe and America if it is to continue to grow, just as it holds the old world in aloof contempt. David Cameron returns to the UK for a debate on a bill that legislates for further austerity in order to counter the effects of a financial crisis precipitated by a failure of the US and UK banking systems. The financial crisis itself revealing that a longer term strategic shift in the axis of geo-political and macro-economic power had been underway for many decades; masked latterly by a credit fuelled boom in consumer spending. Chinese concerns continue to invest heavily in overseas infrastructure of every sort; including the next generation of the UK’s nuclear power stations and the new high speed train system. The Internet would simply not exist without equipment of Chinese manufacture.

China and the world of which it is a part are locked together in indivisible interdependency. The rise of a middle class has been both predicate and consequence of the Chinese economic miracle. The Chinese middle class enjoy less direct political and societal power and influence than their equivalents in the liberal democratic heartlands. The key to the continued, relative, dormancy of the Chinese middle class is sustained and substantial economic growth. Affluence a necessary palliative to the frustrations of political impotence and essential to the deflection of the middle class from the leadership of populist protests. History teaches that an alienated and disenfranchised middle class make formidable leaders of those similarly alienated and disenfranchised elsewhere across society and that the exercise of such leadership is far more likely during periods of extended economic contraction. The political leadership of China has no rational interest in crippling or even seriously degrading the economies of the world upon which it depends for its very survival.

There is no doubt that bad things are happening and no doubt that they will continue to happen. Individuals, companies, social constructs and nations compete; using any and all means at their disposal. We need to gather more evidence than we currently possess about the nature of these bad things as they are manifest in the cyber domain. We must quantify and analyse data exfiltration rather than simply assert its, undoubted, existence. We must contextualise our analysis and root it in the reality of the world as it is, rather than the world we once knew. We must learn a far more nuanced way of thinking and a far more agile and responsive way of acting. We must relinquish the use of two dimensional categories such as ‘User’, and ‘State’, and ‘Non State’. They conceal more than they reveal; expose more than they protect.

In a minute number of cases it will be necessary to entirely internalise the cyber supply chain. To design and manufacture the silicon wafers themselves and assemble the finished computing devices under the tightest controls possible. To render every aspect of the process the subject of full disclosure and trusted hands. The costs of this, in every sense, will be astronomical; unsustainable beyond the tiny portion of the overall requirement for which they will be essential. System capability will be degraded, agility will be compromised, and any notion of a financially prudent return on investment will be laughable. Such efforts, necessary though they will be, must be confined to the absolute minimum. Any attempt to generalise such extreme remedial counter measures as a response to the great supply chain fear would represent an attempt at economic autarky. History repeatedly teaches that attempts to pursue such a strategy as anything other than a narrow and exceptional response to extreme conditions are doomed to fail, often precipitating crises worse than that which they sought to avoid. Lessons that Kim Jong-un would do well to re-visit as he continues the practice of the Juche ideas he inherited from his father.

We must relinquish the legacy of the deterministic systems thinking that won us the Cold War and embrace instead the more subtle and less certain arts of the management of complex systems through the observation of effects and the generation of perpetual feedback cycles. We must actively enable the core structures of our systems to depend upon continuous modification of their own states. At the root of our fears about the vulnerabilities of the supply chain specifically, and of cyber more generally, is the apprehension that our adversaries have proven better able to exploit the true form of cyber than we have, and even less comfortably, the darker fear that the deep cause of our failure to counter the success of our adversaries is us.

The systems of the cyber domain are unimaginably complex and inextricably interconnected. Every nation, every society, every institution of the state, every individual, our entire global civilization, depends upon this new phenomenon. Thus arises a paradox deep at the heart of our primal fears about the security of the cyber supply chain. Given precisely this complexity, and interconnectedness, and existential dependence; then, if the core silicon is infected, the execution of the attack will destroy those who perpetrated the atrocity just as surely as it destroys those against whom it was aimed. Because of the atomised, fragmented and volatile nature of the modern supply chain, it is in principle possible to plant a latent attack capability at such a low level within systems that detection is indeed impossible. However, the execution of such an attack is, literally, a zero sum game. Or perhaps more accurately; an extinction level event.

The chaos of our cyber systems is a function of their complexity. Both complexity and chaos are at the heart of the transformative and empowering qualities of the cyber phenomenon. We must emerge from our deep state of shock and denial and use the very power we have come to fear. Cyber is not amenable to command and control. Rather it must be existed within; its effect observed and unceasingly managed. Cyber is a transformation in human affairs of at least equal significance to that of the Neolithic Revolution, the Reformation, the Enlightenment and the Industrial Revolution; combined. To the extent that the computer systems upon and within which cyber exists were once ours; they are no longer so. Cyber belongs to society. Cyber is society. Our job is now to enable and empower the evolution of society through the development of a safer human experience of cyber.